AI System Inventory
- Project: Pickles GmbH — AI Governance Framework
- Stage: Stage 2 — Governance Foundation
- Status: Draft
- Version: v1
- Date: 2026-02-22
- Assumptions: Built on outline assumptions — not verified against real Pickles GmbH data
Purpose
This document is the master register of all AI systems operated or deployed by Pickles GmbH [ASSUMPTION — A-001, A-003]. It is the primary reference for risk governance, compliance obligations, and operational oversight across all AI systems.
This register must be maintained as a living document. Every AI system used in production — whether internally developed, procured from a third party, or based on a third-party foundation model — must be registered here before deployment. Unregistered systems must not be deployed.
Regulatory basis:
- EU AI Act Article 11 — Technical documentation requirements for high-risk AI systems
- EU AI Act Article 12 — Logging and event recording requirements
- EU AI Act Article 13 — Transparency and instructions for use
- EU AI Act Article 72 — Post-market monitoring
- ISO/IEC 42001 Clause A.6 — AI system lifecycle documentation
How to Use This Register
| Action | Instruction |
|---|---|
| New system intake | Complete a new row when a system passes Gate 1 of the AI Intake Approval Workflow (L1-3.3). Risk Classification must be assigned at Gate 2. |
| Risk classification | Use the Risk Classification Framework (L1-3.2) to assign High / Medium / Low tier. |
| Updates | Any change to system name, model type, hosting location, data categories, or deployment status must be reflected within 5 business days. |
| Substantive modifications | Modifications that may affect compliance with EU AI Act requirements (Article 3) must trigger re-classification and re-registration. |
| Decommissioning | Update Deployment Status to "Decommissioned" and record the date. Do not delete rows — retain for audit. |
Column Definitions
| Column | Definition |
|---|---|
| System ID | Unique identifier assigned at registration (format: SYS-001, SYS-002, etc.) |
| System Name | Commercial or internal name of the AI system |
| Purpose | Brief description of the system's function and intended use |
| Internal / Customer-Facing | Whether the system is used internally by Pickles GmbH staff, or deployed to / accessible by external clients |
| Model Type | Type of underlying AI model (e.g., LLM, RAG, Classification Model, Rule-Based System) |
| Hosting Location | Where the system is hosted (e.g., EU cloud provider, German data centre, third-party API, US-based provider) |
| Data Categories Processed | Categories of personal data processed (e.g., general personal data, special categories under GDPR Article 9, criminal convictions under Article 10, no personal data) |
| Risk Classification | High / Medium / Low — assigned using L1-3.2; EU AI Act tier in parentheses |
| System Owner | Named individual responsible for compliance and operational oversight |
| Deployment Status | Development / Staging / Production / Suspended / Decommissioned |
| Monitoring Status | Active Monitoring / Monitoring Pending / Not Required |
System Register
[ASSUMPTION — A-001] The entries below are placeholder rows based on assumed Pickles GmbH product capabilities. All rows must be replaced with verified system data before operational use. System owners must be named individuals, not job titles.
| System ID | System Name | Purpose | Internal / Customer-Facing | Model Type | Hosting Location | Data Categories Processed | Risk Classification | System Owner | Deployment Status | Monitoring Status |
|---|---|---|---|---|---|---|---|---|---|---|
| SYS-001 | Legal Drafting Assistant | AI-assisted generation of legal document drafts (contracts, briefs, correspondence) based on lawyer instructions and templates | Customer-Facing [ASSUMPTION — A-006] | Large Language Model (foundation model — provider unconfirmed [ASSUMPTION — A-004]) | EU-based cloud — unconfirmed [ASSUMPTION — A-005] | General personal data in documents. May include special categories (GDPR Article 9) or criminal data (Article 10) if legal matter involves health, criminal history, or related content [ASSUMPTION] | [ASSUMPTION: Pending — likely High (EU AI Act: potentially High-Risk per Recital 61) if applied to specific client facts; otherwise Medium] | [PLACEHOLDER — named individual required] | Development | Monitoring Pending |
| SYS-002 | Legal Research Engine | AI-powered search and retrieval of case law, legislation, and legal commentary; generates research summaries for lawyer review | Customer-Facing [ASSUMPTION — A-006] | Retrieval-Augmented Generation (RAG) with LLM | EU-based cloud — unconfirmed [ASSUMPTION — A-005] | Incidental general personal data in legal texts. No direct processing of client personal data anticipated [ASSUMPTION] | [ASSUMPTION: Pending — likely Low/Medium (EU AI Act: Minimal-Risk) — ancillary research support] | [PLACEHOLDER — named individual required] | Development | Monitoring Pending |
| SYS-003 | Document Summarisation Tool | Automated summarisation of legal documents (contracts, judgments, regulatory texts) for lawyer review | Customer-Facing [ASSUMPTION — A-006] | Large Language Model (foundation model — provider unconfirmed [ASSUMPTION — A-004]) | EU-based cloud — unconfirmed [ASSUMPTION — A-005] | General personal data and potentially special categories if document content includes health, criminal, or Article 9/10 data [ASSUMPTION] | [ASSUMPTION: Pending — likely Medium (EU AI Act: Limited-Risk) — assistive function requiring review] | [PLACEHOLDER — named individual required] | Development | Monitoring Pending |
| SYS-004 | Internal Operations Tool | AI-assisted internal tooling for Pickles GmbH staff (internal knowledge base search, administrative automation) | Internal | To be confirmed at intake [ASSUMPTION] | EU-based cloud — unconfirmed [ASSUMPTION — A-005] | General personal data of Pickles GmbH staff [ASSUMPTION] | [ASSUMPTION: Pending — likely Low (EU AI Act: Minimal-Risk) — internal administrative use] | [PLACEHOLDER — named individual required] | Development | Not Required |
Systems Pending Registration
Any AI system under evaluation but not yet through Gate 1 of the AI Intake Approval Workflow (L1-3.3) is tracked here. These systems must not be deployed or used with real client data until they complete the full intake process.
| System Name | Current Stage | Date Added | Responsible Person |
|---|---|---|---|
| [PLACEHOLDER] | Pre-intake evaluation | [Date] | [Name] |
Decommissioned Systems
Systems removed from production are retained here for audit and regulatory traceability (EU AI Act Article 72; BDSG Section 76). Do not delete rows.
| System ID | System Name | Decommissioning Date | Reason | Responsible Person |
|---|---|---|---|---|
| — | — | — | — | — |
Register Governance
| Item | Requirement |
|---|---|
| Review frequency | Minimum every six months, or following any system change, incident, or regulatory update |
| Review responsibility | System owner for each system; DPO [ASSUMPTION — A-008] for data category accuracy; Compliance Lead for risk classification |
| New entries | Must pass full AI Intake Approval Workflow (L1-3.3) before Deployment Status is changed to Production |
| Audit trail | Version history must be maintained. Do not delete historical rows. |
| Substantive modifications | Any change that may affect EU AI Act compliance (Article 3) triggers re-classification and, where applicable, new conformity assessment |
Regulatory Cross-References
| Obligation | Regulatory Basis | How This Register Supports Compliance |
|---|---|---|
| Technical documentation for high-risk systems | EU AI Act Article 11 | System ID links to technical documentation pack (Stage 3: L2-4.2) |
| Logging and traceability | EU AI Act Article 12; BDSG Section 76 | System ID used as reference in audit log entries |
| Post-market monitoring | EU AI Act Article 72 | Monitoring Status field triggers monitoring framework (Stage 4: L3-6.1) |
| DPIA requirement | GDPR Article 35; BDSG Section 67 | Data Categories Processed field used to assess DPIA trigger |
| AI risk management | EU AI Act Article 9; ISO/IEC 42001 Clause 8.2 | Risk Classification links to L1-3.2 |
| Transparency obligations | EU AI Act Articles 13 and 50 | Customer-Facing flag triggers disclosure requirements (Stage 3: L2-4.3) |
This register is a governance control document. It must be treated as confidential internal documentation and made available to the DPO, Legal, and relevant regulatory authorities on request.
[LEGAL REVIEW REQUIRED] Before this register is used operationally, a qualified lawyer must confirm: (i) the correct EU AI Act risk classification for each system; (ii) the data categories processed by each system; and (iii) whether any system triggers a mandatory DPIA under GDPR Article 35 or BDSG Section 67.